# Google Cloud Platform - Google Kubernetes Engine Administration

This document describes administration procedures for creating and using
a Kubernetes cluster on Google Cloud Platform.

Disclaimer: This document is *NOT* a substitute for the Google Cloud Platform
documentation. Please read their documentation for updated and accurate
information.

## Accounts and Projects

Accounts related to SSEC work or other University of Wisconsin work must be
created by DoIT. See https://it.wisc.edu/services/google-cloud-platform/ for
more information. By working with DoIT you should get access through your
Google Suite `@wisc.edu` account to a GCP "project" that you've named. You can
then login to the GCP Console (https://console.cloud.google.com/) where you'll
have access to everything related to your work on GCP.

NOTE: Once logged in, be careful not to create resources on GCP unless you
know what you are doing, even in tutorials. Otherwise you may end up
accidentally incurring charges on your business account.

## Service Accounts and Kubectl

GCP allows you to create "Service Accounts" for controlling access to specific
parts of a GCP project. This is useful for automating access to your future
GKE cluster from GitLab (or other) Continuous Integration (CI) jobs. Note that
a GCP Service Account is different than a Kubernetes Service Account.

To create a Service Account, first read through:

https://cloud.google.com/iam/docs/service-accounts

Next, go to your GCP Console, click the menu in the upper-left and go to
"Project Settings". From there click on "Service Accounts" and then
"+ CREATE SERVICE ACCOUNT". Follow the instructions to create your service
account. To give your SA permission to create resources on your Kubernetes
cluster, give it at least the "roles/container.developer" role. See
https://cloud.google.com/iam/docs/understanding-roles#kubernetes-engine-roles
for more information.

Once the Service Account is created, you will likely want to create a key to
authenticate to GCP from your CI environment. Click the 3 dots to the right of
your newly created Service Account in the list of Service Accounts and select
"Create key". See
https://cloud.google.com/iam/docs/creating-managing-service-account-keys
for more information.

Now that you have that key, you should be able to use the `gcloud` utility
(must be installed separately) in your CI jobs to authenticate:

```bash
gcloud auth activate-service-account <sa-account-name>@<gcp-project-id>.iam.gserviceaccount.com \
    --key-file=/path/to/json/key/you/downloaded.json
```

Now you can get the kube cluster configuration information by doing:

```bash
gcloud container clusters get-credentials <cluster-name> --zone <zone-name>
```

This will likely write information about your cluster to `~/.kube/config`. You
can then use `kubectl` as normal. If multiple clusters are configured, you may
need to use the `--cluster` flag.

If your Service Account includes the "Project/Viewer" role you can do:

```bash
gcloud config set project <project-id>
```

If the above gives you a warning, then double check that the Project/Viewer
role has been added to the Service Account. Otherwise, try enabling this API:

https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=<project-id>

And then try again. If that still doesn't work, try this Stack Overflow thread
for more help: https://stackoverflow.com/a/59931415/433202
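
The `gcloud auth activate-service-account` and `get-credentials` steps above can be wrapped so that the key and the resulting kubeconfig never persist on a shared CI runner. This is an added example, not part of the original procedure; the CI variable names (`GCP_SA_KEY_JSON`, `GCP_SA_EMAIL`, `GKE_CLUSTER`, `GKE_ZONE`) and the function name are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Assumed CI variables, which are
# hypothetical names: GCP_SA_KEY_JSON (contents of the downloaded JSON key,
# stored as a masked/protected CI variable), GCP_SA_EMAIL, GKE_CLUSTER, GKE_ZONE.

# Run one command (for example kubectl) with GKE credentials that exist only
# for the duration of that command. The body is a subshell, so the exported
# variables and the umask do not leak into the rest of the job.
with_gke_credentials() (
    if [ -z "${GCP_SA_KEY_JSON:-}" ] || [ -z "${GCP_SA_EMAIL:-}" ] ||
       [ -z "${GKE_CLUSTER:-}" ] || [ -z "${GKE_ZONE:-}" ]; then
        echo "GCP_SA_KEY_JSON, GCP_SA_EMAIL, GKE_CLUSTER and GKE_ZONE must be set" >&2
        exit 2
    fi

    umask 077                                  # files below are owner-only
    workdir=$(mktemp -d) || exit 2
    export CLOUDSDK_CONFIG="$workdir/gcloud"   # instead of ~/.config/gcloud
    export KUBECONFIG="$workdir/kubeconfig"    # instead of ~/.kube/config
    key_file="$workdir/key.json"
    printf '%s' "$GCP_SA_KEY_JSON" > "$key_file"

    # Refuse anything that is not a service account key (e.g. a user credential).
    if ! grep -q '"type": *"service_account"' "$key_file"; then
        echo "GCP_SA_KEY_JSON is not a service account key" >&2
        rm -rf "$workdir"
        exit 2
    fi

    status=0
    gcloud auth activate-service-account "$GCP_SA_EMAIL" --key-file="$key_file" &&
        gcloud container clusters get-credentials "$GKE_CLUSTER" --zone "$GKE_ZONE" &&
        "$@" || status=$?

    rm -rf "$workdir"                          # key, gcloud store and kubeconfig
    exit "$status"
)

# Usage in a CI job script:
#   with_gke_credentials kubectl get pods
```

The function returns the exit status of the wrapped command, so a failing `kubectl` call still fails the CI job.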

## Install Helm

Follow the instructions in the Helm documentation in the Google web console:

https://helm.sh/docs/intro/install/#from-apt-debianubuntu